Recipe 6.14 Tunneling Another TCP Session Through SSH

6.14.1 Problem

You want to secure a client/server TCP
connection such as POP, IMAP, NNTP (Usenet news), IRC, VNC, etc. Both
the client and server must reside on computers that run SSH.

6.14.2 Solution

Tunnel (forward) the TCP connection through SSH. To secure port 119,
the NNTP protocol for Usenet news, which you read remotely from
news.example.com:

$ ssh -f -N -L12345:localhost:119 news.example.com

While this tunnel is open, read news via local port 12345, e.g.:

$ export NNTPSERVER=localhost
$ tin -r -p 12345

6.14.3 Discussion

Tunneling or port forwarding uses SSH to secure another TCP/IP
connection, such as an NNTP or IMAP connection. You first create a
tunnel, a secure connection between an SSH client and server. Then
you make your TCP/IP applications (client and server) communicate
over the tunnel, as in Figure 6-1. SSH makes this
process mostly transparent.

Figure 6-1. SSH forwarding or tunneling

The SSH command:

$ ssh -f -N -L12345:localhost:119 news.example.com

establishes a tunnel between localhost and news.example.com. The tunnel has three
segments:

The newsreader on your local machine sends data to local port 12345.
This occurs entirely on your local machine, not over the network.

The local SSH client reads port 12345, encrypts the data, and sends
it through the tunnel to the remote SSH server on news.example.com.

The remote SSH server on news.example.com decrypts the data and
passes it to the news server running on port 119. This runs entirely
on news.example.com, not
over the network.